On 30/09/2016 13:21, Gervase Markham wrote:
> On 30/09/16 07:50, Jakob Bohm wrote:
>> SHA-1 certs until the hardware dies.  On a trust policy/BR level, the
>> key detail here is that the issuing root cert is a SHA-1 cert itself
>> and would thus be distrusted by SHA-1-distrusting systems anyway.
>
> That's not so; I believe most (all?) systems don't check the signatures
> on their own embedded root certificates, because they are implicitly
> trusted. There are many roots in the Mozilla program with SHA-1
> signatures; see the Signature Hash Algorithm column in:
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
>
> In fact, there are two with MD5 signatures, although as it happens they
> are only trusted for email.
>
> Gerv


Well, at least the intermediaries involved would be SHA-1 and be
checked against the SHA-1-distrust policy?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
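The point both messages circle is a property of chain validation rather than of any one CA: a validator trusts a root by identity (it is in the store), so the signature on the root itself is never verified, and a SHA-1 or MD5 signature there is invisible to a SHA-1 distrust policy. The signatures that policy does act on are those on the intermediates and the leaf. The script below is an added example, not code from this thread or from Mozilla's program: it reads the outer signatureAlgorithm, issuer and subject straight out of DER with the standard library, then applies that rule to a chain. The certificates it runs on are constructed stand-ins with the correct RFC 5280 field layout but placeholder key and signature bits, built by the same script; the CA names, the chain and the trust store are hypothetical.

```python
"""Audit the signature hash algorithm of each cert in an X.509 chain (added example, stdlib only)."""
from collections import namedtuple
# signatureAlgorithm OID -> hash it uses (subset; anything unlisted is reported as unknown)
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}
WEAK_HASHES = {"md5", "sha1"}
CertInfo = namedtuple("CertInfo", "issuer subject sig_hash")  # issuer/subject are raw DER Names
def _tlvs(buf):
    """Yield (tag, whole_element, body) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        end = pos + hdr + length
        yield tag, buf[pos:end], buf[pos + hdr:end]
        pos = end

def _decode_oid(body):
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_cert(der):
    """Extract issuer, subject and the outer signature algorithm from a DER Certificate."""
    (_, _, cert_body), = _tlvs(der)                       # Certificate ::= SEQUENCE { ... }
    tbs, sig_alg, _sig_value = _tlvs(cert_body)
    fields = list(_tlvs(tbs[2]))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _inner_alg, issuer, _validity, subject = fields[:5]
    oid = _decode_oid(next(_tlvs(sig_alg[2]))[2])         # AlgorithmIdentifier.algorithm
    return CertInfo(issuer[1], subject[1], SIG_ALG_HASH.get(oid, "unknown:" + oid))

def check_chain(chain, trust_anchors):
    """chain: DER certs ordered leaf -> root. Returns one (index, hash, verdict) per cert.
    A cert that is itself a trust anchor passes whatever its own signature is: the validator
    trusts it by identity and never verifies that signature. Every other cert is checked."""
    infos = [inspect_cert(d) for d in chain]
    if any(c.issuer != p.subject for c, p in zip(infos, infos[1:])):
        raise ValueError("chain is not ordered leaf -> root")
    verdicts = []
    for i, (der, info) in enumerate(zip(chain, infos)):
        if der in trust_anchors:
            verdict = "trust anchor: signature never verified, hash policy does not apply"
        elif info.sig_hash in WEAK_HASHES or info.sig_hash.startswith("unknown"):
            verdict = "REJECT: signature uses " + info.sig_hash
        else:
            verdict = "ok"
        verdicts.append((i, info.sig_hash, verdict))
    return verdicts

# Constructed test data below: real DER layout, but placeholder key and signature bits.
def _tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, n] if n < 128 else [tag, 0x80 | len(lb), *lb]) + body

def _encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))

def make_dummy_cert(subject, issuer, sig_oid):
    """Unsigned stand-in for a certificate; field order follows RFC 5280 so inspect_cert works."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                          # version v3
        _tlv(0x02, b"\x01"),                                                       # serialNumber
        alg,                                                                       # signature
        _name(issuer),
        _tlv(0x30, _tlv(0x17, b"160930000000Z") + _tlv(0x17, b"261231000000Z")), # validity
        _name(subject),
        _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, b"\x00")),  # SPKI stub
    ]))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))                       # signatureValue stub

# Hypothetical chain: SHA-1 self-signed root (in the store), SHA-1 intermediate, SHA-256 leaf.
ROOT = make_dummy_cert("Old Root CA", "Old Root CA", "1.2.840.113549.1.1.5")
INTERMEDIATE = make_dummy_cert("Old Sub CA", "Old Root CA", "1.2.840.113549.1.1.5")
LEAF = make_dummy_cert("device.example", "Old Sub CA", "1.2.840.113549.1.1.11")
TRUST_STORE = {ROOT}
if __name__ == "__main__":
    for idx, h, verdict in check_chain([LEAF, INTERMEDIATE, ROOT], TRUST_STORE):
        print(f"cert {idx}: {h:6} {verdict}")
```

Run as-is, the leaf is accepted, the SHA-1 intermediate is rejected, and the SHA-1 root passes only because it is in the trust store; hand the same chain an empty store and the root becomes an ordinary self-signed certificate whose signature is subject to the policy. inspect_cert works unchanged on real DER (for example the output of openssl x509 -outform DER), since it only walks the outer Certificate and the first tbsCertificate fields. Matching anchors by exact DER bytes is a simplification: real stores may match on subject and public key instead, but the consequence for the policy is the same.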
